Guest post by Abhinav Shashank, CEO and co-founder, Innovaccer.
Abhinav Shashank
A personal health record of any patient, whether it is an aging parent, a spouse or a child with a chronic illness, contains a summary of medications, lab results, visit notes, billing information and more, and interoperability makes it easy to manage all these files and documents with just a few clicks.
Every form of health data makes an entry in an EHR today thanks to the shift towards a digitized healthcare in U.S. Although this has made data entry, storage, retrieval and exchange easier, it has brought with it certain challenges. Integrating and utilizing EHRs is the first baby step; however, if we are to overcome all the hurdles then achieving 100 percent EHR interoperability is the summit where we are yet to reach.
Physicians want to optimize the full potential and promise of EHRs for the simple reason that improved communication between systems will lead to a better and enhanced care. Once all the systems in use nationwide are connected and interacting with each other, patients will find it easier to seek a second opinion as their health information will reach the physician in a matter of seconds.
How interoperability exists today
Today, various interoperability standards have developed for the sake of continuous improvement in this realm. Health Level Seven (HL7) has produced the likes of HL7v2, HL7v3, and the latest FHIR as competent standards that exist in the industry for better streamlining of documentation and care coordination. With the help of FHIR, physicians can access health data on their mobile phones through various API (Application Programming Interface) functions that FHIR supports. This ease of access to complete and accurate patient data, in due course, helps in many ways. As providers and health coaches work together on improving the health of people, it also significant for them to be able to access accurate data from sources other than EHRs. Apart from EHRs, HIEs have popped up in various places that allow for the smooth flow of data across the health care network.
Ways in which interoperability facilitates healthcare
Physicians can easily access and share medical information with their patients and perform their tasks with greater efficiency. This could be done by increasing the efficiency of monitoring chronic diseases. Besides saving time and labor cost, physicians and patients with access to interoperable health information can benefit from higher-quality patient outcomes. Interoperable EHRs carry the potential of giving easy and ongoing access to patient’s health records to the physician. For a doctor to have an updated and detailed medical history of his patient cannot just be live-saving, it will mainly help those people who are always on the move. This will empower an individual to move across the continuum of care seamlessly with their clinical record.
Doing more with less
As value-based care and reimbursements stepped into healthcare, the US managed to turn the tide towards a more qualitative and equitable delivery of care. This has made physicians more responsible for better patient health outcomes than ever before. To manage hospital readmission and managed care plans, physicians need to have as much patient information as possible at hand at all times. This is where interoperability comes into play by aggregating and relaying data from disparate regions and bringing it onto a single platform.
For a secure data exchange to take place amongst healthcare organizations and patients, it’s important that both parties are willing and equally involved in the sharing process. This will inevitably lead to shared decision making apart from the fact that the physician will be able to make quick and informed decisions. The ultimate aim is to have a complete understanding of the health status of patients and helping them navigate effectively in their health journey for a better patient experience.
Patient-centric interoperability is the direction in which healthcare is slowly moving. There’s so much that we can do with the availability of data. Ongoing monitoring of patient data can better facilitate the ongoing management of that patient’s health and the physician can intervene where necessary. With this, patients too can track their progress and work towards improving their health hand-in-hand with the physicians.
Challenges that interoperability is yet to solve
One of the issues that interoperability is dealing with today is the vast and disjointed patient data that exists in regional HIEs and independent, transactional databases like EHRs. Along with this, patient privacy concerns and consent are other risk factors that need to be considered when diving through protected health information data. Lack of a common standard, state policy rules, workflow and policy difference and the need for incentives are some barriers in the way of achieving 100 percent interoperability.
Guest post by Cheong Ang, co-founder and CTO, LucidAct Health.
Cheong Ang
As a provider, you probably have been living with meaningful use in the last many years, and now, MACRA (Medicare Access and CHIP Reauthorization Act), which combines parts of the Physician Quality Reporting System (PQRS), Value-based Payment Modifier (VBM), and the Medicare electronic health record incentive program into the Merit-based Incentive Payment System, or MIPS.
What really is the part of MIPS that matters, for this year and next, anyway? 2017 is the transition year of MACRA, but you need to report something (for various measures) or lose 4 percent Medicare payment adjustment in 2019. If you make a partial-year (90 consecutive days) report by October 1, depending on how you fare against the CMS’ annual performance benchmark, there may even be a chance to get a positive Medicare payment adjustment. In general, a provider will report in the four MIPS performance categories: quality (weighted 60 percent of total in 2017), cost (not weighted in 2017), improvement activities (loosely “care coordination,” 15 percent ), and Advancing Care Information (“EHR use”, 25 percent). Then in 2018 and 2019, with improvement activities and advancing care information remain the same, the quality category will be weighted 50 percent and 30 percent respectively, giving way to cost (10 percent and 30 percent in each of 2018 and 2019).
This sounds like high school all over again – the authority sets the goals that arguably lead you to learn the materials that matter, and grade you on them. If you score well in the four MIPS performance categories, chances are your operations are running quite well. But deep down, perhaps your priorities are simply to provide great patient care, and get compensated for your expertise and services. Then this high-school approach of grading your services, and you – yes, your performance score will be available publicly on the Physician Compare website – becomes a distraction that few providers like to deal with.
So how will you live with this reality? One approach is to actually embrace and integrate MIPS into your operations! Then all MIPS requirements don’t just become some checkbox items you try to complete, but actually a tool to improve your operations. Here are three ways to “take advantage” of MIPS as a guideline to help you thrive:
Embrace a Data-driven Approach
Run your operations based on data. Many EHRs provide at least some basic level of reports that allow you to keep a finger on the pulse of your operations. Make the relevant reports accessible to your team. For the metrics that are relevant to your operations, dedicate a periodic review session to keep everyone abreast of the numbers, and your targets. To leverage MIPS to improve your bottom line, you will want at least some level of visibility through these reports how working those numbers will bring more revenues and/or patient satisfaction, or lower cost. Then it will become clear MIPS can benefit your operations.
Integrate MIPS Efforts Into Your Workflow
Then the team is to identify and make sure they engage the patients that fall in the categories of the reporting metrics to complete the required actions. While in a smaller clinic, some way of patient tracking; e.g. shared call list, may work fine. If your targets involve hundreds or even thousands of patients over a period of time, an automated, smart workflow approach will serve the situation much better. The smart workflow approach is part of the turnkey service my team at LucidAct built after experiencing such patient-care collaboration problems at San Francisco General Hospital in a consulting engagement. Smart workflows keep track of what have been done by whom for a patient, and conditionally activates the next task(s). It can also automate tasks such as calling a patient. Such care-action details in conjunction with the reports above will reveal how the team’s efforts chisel (or not) off the workloads, and improve the bottom line. Having them available in the review sessions ties the effectiveness of the team’s efforts back to the MIPS targets, allowing you to make adjustments to your operations as needed.
Paubox is a San Francisco-based startup that focuses on making HIPAA-compliant email easy to accomplish for the healthcare industry. Rather than making encryption cumbersome for the user, Paubox makes it easy without adding additional steps. This makes adoption and deployment of Paubox easy for any size organization, from the single doctor private practice to the largest hospital.
Elevator pitch
Paubox is the easiest way to send and receive secure, HIPAA-compliant email. There are no portals to login to, no software or apps to install, no extra steps for senders or recipients. Users can just write and send email as normal from any device and Paubox will do the rest to deliver encrypted email straight to the recipient’s inbox.
Product/service description
Paubox encrypted email is the easiest to use HIPAA-compliant email solution for the healthcare industry. Using military grade encryption, Paubox focuses on the user first, allowing for seamless inbox-to-inbox email delivery without any extra steps.
Rather than limiting seamless delivery to a closed network, or requiring a button press or to enable secure email, Paubox allows users to just write and send email as normal from any device. Recipients will get encrypted email straight to their inbox without needing to login to portals or download and open an app.
Because of its ease of use, Paubox can deploy within hours for any size organization.
Customers can host their email with Paubox, or keep their existing email address. Paubox integrates with all major commercial email platforms like Outlook, Office 365 and Google Apps.
In addition, Paubox encrypted email includes inbound encryption and protection against ransomware, malware, virus, SPAM and phishing attacks. This extra security is especially important since many data breaches occur from malicious inbound email.
Paubox also offers an Encrypted Email API that allows organizations and developers to integrate seamless email encryption with their apps, patient portals and EHR management software.
Founder’s story
Like all great companies, Paubox was founded to solve the needs of its customers.
Hoala Greevy
Founder and CEO Hoala Greevy has moe than 18 years of experience in email security. After beginning his career at Critical Path, he founded Hawaii’s first email security company in 2003 called Pau Spam, which has since filtered more than one billion messages.
In 2014, when speaking to one of his Pau Spam customers, Make-A-Wish Foundation of Hawaii, Greevy discovered a need for easy to use encryption solutions that could meet industry regulations. There was no solution in the marketplace that was affordable, secure, and easy to use. From those initial discussions, Greevy founded Paubox and continues to develop features and products to fit the market’s needs.
Marketing/promotion strategy
Paubox offers its solutions both direct and through a network of trusted IT partners. Pricing is annual with discounts available for larger customers. In addition to encrypted email, Paubox also offers complimentary products that customers can select, including encrypted online forms, online storage and encrypted email API.
The healthcare sector is one of those that has always embraced emerging technologies to make better use of technological innovations. And now artificial intelligence (AI) is gradually making its way into the healthcare market with all its power to disrupt.
The annual investment in artificial intelligence for healthcare will grow tenfold in the next five years, becoming a $6 billion industry by 2021 – estimates Frost & Sullivan. They have also forecasted that by 2025, AI systems could be involved in everything from population health management to digital avatars capable of answering specific patient queries.
In healthcare, the opportunity for AI is not just limited to making doctors and medical providers more competent in their work; in fact, it’s about saving lives and making the lives of the patients better. Whether it is for improving the standard of treatment, patient outcomes, healthful behavior, new drug development, weight loss advice or cost reduction, the possibilities of artificial intelligence in the healthcare industry are enormous.
Six amazing use cases of artificial intelligence in healthcare sector:
AI for effective treatment
Although, healthcare generates a huge amount of data due to record keeping, patient care, and compliance & regulatory requirements, it struggles to efficiently utilize the flood of data and convert it into useful insights to improve the value of care. Artificial intelligence helps in making sense of the huge data streams gathered from hospitals and health IT systems by identifying the relationships and patterns between patients, symptoms, and more to provide the right treatment at the right time.
AI for the patient’s caregivers
A lot of modern healthcare providers have adopted AI-driven apps for scanning the findings of a patient’s laboratory tests, as well as drug orders, and sending relevant updates, alerts, and reminders to patients. This application interacts with patients just as a human would to understand the mental condition of the patient and have an impact on monitoring patients when clinicians are not available. For example, AiCure is a clinically authenticated artificial intelligence platform that visually confirms whether the patient has consumed the prescribed medicines on time.
AI for smart drug development
According to figures from a Tufts University study and the U.S. Food and Drug Administration, developing a new drug costs an average of nearly $2.6 billion and can take as long as 14 years. This lengthy process covers identifying the demographic information, multi-gene interaction, proteins, environmental effects, optimizing the molecule for effective delivery to patients, carrying out clinical trials, drug efficacy testing and more. The latest innovations in AI can greatly aid in converting a drug discovery idea from initial inception to a market-ready product rapidly by predicting the therapeutic use of new drugs before they are put to test. This might sound like a small thing to some, however, for researchers it a huge one, who otherwise would have to make these predictions after conducting various tedious experiments. For example, Johnson & Johnson and Sanofi are using IBM Watson to discover new targets for FDA approved drugs.
Guest post Gene Fry, vice president of technology and compliance officer, Scrypt, Inc.
Eugene Fry
According to the 2016 Survey of America’s Physicians, around 70 percent of the nearly 800,000 physicians in active patient care in the U.S. work independently or in practices consisting of 30 physicians or fewer. For these small and medium sized practices, maintaining a robust HIPAA (Health Insurance Portability and Accountability Act of 1996) compliance strategy is extremely difficult. In fact, one report suggests a third of small practices do not have a HIPAA compliance plan in place at all[1], which is a worrying statistic, given the potential repercussions of a HIPAA breach.
Only last year, HHS’ Office for Civil Rights (OCR), the agency responsible for enforcing the HIPAA Privacy and Security rules, announced an initiative to more widely investigate smaller HIPAA breaches. While this may not have been directly aimed at small practices – small breaches can just as easily occur at large organizations – it provided a stark reminder to all covered entities that no organization is exempt from the rules, and noncompliance is noncompliance, regardless of magnitude or intent.
To highlight this, back in 2012, Phoenix Cardiac Surgery — a four-physician practice based in Arizona — was fined $100,000 and required to take corrective actions, after it was revealed the company had been using a publically accessible calendar service to transmit ePHI to employees’ private email accounts. This violation would have been avoidable, had the offender known the use of such technologies by a medical practice is prohibited under HIPAA.
Small and medium practices, big responsibilities
Keeping on top of HIPAA compliance, alongside the many other regulatory constraints that come with managing a busy medical practice, is a challenge for any organization, but small and medium practices typically have fewer resources and less budget to manage and mitigate risks effectively in-house, so the challenge is larger than most.
Managing a full-time HIPAA compliance program, for example, is simply not feasible for most small organizations, as they are unlikely to have staff members who possess the necessary skills to lead a team in promoting HIPAA best practices, as well as undertaking risk assessments and so on. As such, all responsibility lands with the medical staff, who must assume dual roles; as both clinicians, and compliance experts. While it could be argued that every medical professional should be well versed in HIPAA compliance anyway, the reality is not all are, and this presents major security and privacy risks.
The good news is, there are some relatively easy steps small- and medium-sized practices can take to significantly minimize the risk of a HIPAA breach occurring, that don’t require any major financial investment. While the following points are not a definitive list of HIPAA requirements, they should provide a good starting point.
Start with the basics and build up
HIPAA is complex and often overwhelming, but there’s no point worrying about the small details if the fundamentals are not in place. Organizations must ensure that all staff are familiar with the following key areas of HIPAA:
Why HIPAA exists and who it covers
Key requirements under the HIPAA Privacy Rule, the Security Rule and the Breach Notification Rule
Protected Health Information (PHI/ePHI) and the key personal identifiers
HIPAA enforcement and the consequences of noncompliance
Their responsibilities as an individual within the organization
Guest post by Lucas Vogel, principal consultant, Endpoint Systems.
Lucas Vogel
Imagine being a software developer at a company where your job description involves building HIPAA-compliant apps and services. As you onboard with your new company, you receive some formal basic training and learn about the privacy, security and breach notification rules, and after some additional training on various topics about your job, you enter your department and get acquainted with your work environment. This is the point where you find out what you’re really getting yourself into.
There is a direct correlation between the maturity level of applications developed in your organization and the quality of your work life. For example, if you walk into a developer role for a healthcare provider, you’re likely walking into a large and well-established IT group with many old and new technology platforms deployed, where you’ll take your place with a department that’s existed for several years and does fairly predictable work on prebuilt systems. But let’s say you’re working at the more cutting edge of healthcare technology, at a startup straddling innovation with compliance. In that case, understanding HIPAA compliance can feel incredibly daunting, especially as you may essentially be learning as you go with little guidance.
The good news is that it’s never been a better time to work on HIPAA-compliant healthcare apps. Advances in identity and access management (IAM) and consent frameworks make it easier for apps to authenticate, authorize and audit users, logging who is performing what within your application; advances in machine learning make it easier to parse these log streams, detecting threats and anomalies to application use, among other countless benefits. Further advances in application architecture, cloud and API technologies, database and container platforms (not to mention containerized database platforms), and development methodologies over the past decade have dramatically changed the way companies build applications and deploy platforms, culminating in what is known as the “twelve-factor application.”
This summer, the U.S.-based pharmaceutical giant Merck has suffered the Petya ransomware attack that required to hand over a ransom or have its computers remain locked and inaccessible. One month before, the WannaCry ransomware attack devastated many big organizations around the world, including national healthcare organizations such as UK’s National Health Service (NHS).
Last week, cybersecurity experts warned that medical care would suffer from new additional risks they are not prepared to handle. The new threats are coming from the “Internet of Bodies” – IoT devices incorporated into human bodies for medical purposes.
“Healthcare companies are probably the most susceptible to upcoming ransomware attacks – and these attacks will come again, we have no doubts about it,” said Marty P. Kamden, IT security expert and CMO at NordVPN. “Outdated technology, lack of experience in managing the IT sector, and vulnerabilities of the new Internet-connected medical devices pose a grave danger to the safety and even lives of thousands of medical patients around the world.”
In fact, several months ago, the FBI (United States Federal Bureau of Investigation) issued a warning to all healthcare sector companies to remain vigilant of new cyber threats, possibly stemming from foreign governments.
Here is NordVPN’s advice about protecting healthcare companies from cyberattacks:
Don’t use FTP servers operating in anonymous mode. According to FBI, “some criminal actors from abroad are trying to target protected healthcare information (PHI) and other personally identifiable info (PII) from medical facilities to intimidate, harass, and blackmail business owners.” FBI was alerting healthcare companies against the use of FTP servers operating in anonymous mode.
You are as strong as your weakest link. Healthcare companies should choose their suppliers carefully and should work together with them to tighten overall IT security. The new trend is supply-chain attacks: attackers look for the weakest link in the supply chain to install their malware, which will affect all the companies within the chain. The supply-chain vulnerability was used in the destructive NotPetya attack, originating in Ukraine and branching out to various European and U.S. organizations.
Use a VPN. Healthcare organizations usually use Intranet for private internal communications, which include local area networks (LAN) as well as on-site networks. When employees need to access the organization’s Intranet while traveling or working remotely, they should use virtual private networks (VPNs) for a secure connection. When using a public or unprotected WiFi connection, VPNs create an encrypted tunnel that connects the computer and the Intranet or VPN server. This tunnel protects the connection from public access, should there be hackers ready to breach the system.
Many healthcare organizations refer to the at-home, at-risk patients as the “sickest of the sick.” Unfortunately, these patients may receive inadequate care and attention after being discharged and often rely on emergency medical services and/or the ED to answer questions and provide care in non-emergency situations. The model for treating these patients and attempting to keep them at-home (and not back in the hospital) has not changed substantially in decades. In an attempt to minimize re-admissions, hospitals may schedule case managers and/or nurses to physically visit these patients at-home in an effort to help the patients stay on track with their adherence.
However, this continuum of care model is not sustainable. The budget and resourcing implications are significant when most of the staff’s time is spent behind the wheel vs. in front of the patient. Significant opportunities exist for telehealth solutions to bring the care closer to the patient — at a more convenient and cost-effective manner for all involved.
Why Reducing Readmissions Matters From the patients’ perspective, returning to the ED and potentially being re-admitted is disruptive and stressful for patients and family. Patients may be put at an additional risk for hospital-acquired infections and complication. Returning to the hospital can also lower the rate of patient satisfaction and weaken overall outcomes.
From the perspectives of health systems and health plans, readmissions are costly. Since the introduction of HRRP (Hospital Readmission Reduction Program), hospitals that exceeded the national average of readmissions for specific conditions (within the 30-day window) have been penalized by a reduction of payments across all of their Medicare admissions. More than half of hospitals in the HRRP program were penalized the past five years, resulting in $528 million in withheld Medicare payments. Re-admissions can also negatively impact measures in Hospital Compare data, levels of provider satisfaction and the health system’s overall reputation in the community it serves. Re-admissions cost more than $26 billion annually but $17 billion is considered avoidable.
What Happens Today Keeping at-risk patients at-home is critical to reducing re-admissions and the associated consequences. Typical discharge programs with in-person appointment schedules often fail the at-home, at-risk patient, the providers, and the healthcare system by insufficiently engaging the patient at the point of discharge and upon returning home. The rates of patients being readmitted are significant:
Nearly 20 percent Medicare patients are readmitted within 30 days.
34 percent of Medicare patients are readmitted within 90 days and 56 percent within 1 year.
64 percent received no post-hospital care between discharge and readmission.
What happens in-hospital and at-home which leads to this situation? In-hospital experiences can adversely affect health and contribute to substantial impairments during the early recovery period, an inability to fend off disease, and simple mental error. As a result, patients may leave the hospital deprived of sleep, experiencing pain and discomfort, without sufficient nourishment, and with medications which may alter cognition and physical function.
When a patient is discharged, the patient may continue to face physical, emotional and even financial issues, depending on one’s condition, health history and home environment. A patient may be discharged without adequate instructions and information for self-care and follow-up. The patient may be provided with comprehensive verbal instructions but quickly forget the detailed instruction. Written instructions may be provided to the patient but the patient may fail to keep the information handy and/or share the information with family/friends serving as caregivers. Internalizing the discharge program and being able to practice self-care may also be negatively impacted by a patient’s level of English proficiency, health literacy, socio-economic status, gender and cultural background.
Paubox is a San Francisco-based startup that focuses on making HIPAA-compliant email easy to accomplish for the healthcare industry. Rather than making encryption cumbersome for the user, Paubox makes it easy without adding additional steps. This makes adoption and deployment of Paubox easy for any size organization, from the single doctor private practice to the largest hospital.
